[PATCH 08/11] netfilter: ipset: enable memory accounting for ipset allocations

Pablo Neira Ayuso Sun, 04 Oct 2020 12:51:15 -0700

From: Vasily Averin <v...@virtuozzo.com>

Currently netadmin inside non-trusted container can quickly allocate
whole node's memory via request of huge ipset hashtable.
Other ipset-related memory allocations should be restricted too.


v2: fixed typo ALLOC -> ACCOUNT

Signed-off-by: Vasily Averin <v...@virtuozzo.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
 net/netfilter/ipset/ip_set_core.c | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_core.c 
b/net/netfilter/ipset/ip_set_core.c
index 920b7c4331f0..6f35832f0de3 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -250,22 +250,7 @@ EXPORT_SYMBOL_GPL(ip_set_type_unregister);
 void *
 ip_set_alloc(size_t size)
 {
-       void *members = NULL;
-
-       if (size < KMALLOC_MAX_SIZE)
-               members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
-
-       if (members) {
-               pr_debug("%p: allocated with kmalloc\n", members);
-               return members;
-       }
-
-       members = vzalloc(size);
-       if (!members)
-               return NULL;
-       pr_debug("%p: allocated with vmalloc\n", members);
-
-       return members;
+       return kvzalloc(size, GFP_KERNEL_ACCOUNT);
 }
 EXPORT_SYMBOL_GPL(ip_set_alloc);
 
-- 
2.20.1

[PATCH 08/11] netfilter: ipset: enable memory accounting for ipset allocations

Reply via email to